List of software quality issues with the number of affected components.
category ALL
Policies
Info
Category
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.
Prevalence in Visual Studio Code community
79 packages
found in
Top 100
622 packages
found in
Top 1k
4233 packages
found in
Top 10k
29.36k packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider an alternative delivery mechanism for software packages.
Problem
Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.
Prevalence in Visual Studio Code community
8 packages
found in
Top 100
49 packages
found in
Top 1k
130 packages
found in
Top 10k
479 packages
in community
Next steps
Remove private debug database files from the software package before you release it.
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. A port number is associated with a network address of a host, such as an IP address, and the type of network protocol used for communication. Within URLs, the ports are optional. Ports can be specified in a URL immediately following the domain name. Each network protocol, or schema, has a set of standard ports on which the service operates. This issue is raised when a mismatch between a network protocol and its expected port number is detected. While the presence of non-standard ports does not imply malicious intent, all of their uses in a software package should be documented and approved.
Prevalence in Visual Studio Code community
79 packages
found in
Top 100
560 packages
found in
Top 1k
2912 packages
found in
Top 10k
17.75k packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider changing the port to one that is standard for the networking protocol.
Problem
Private keys and certificates are considered sensitive information that should not be included in released software packages. However, developers frequently release sensitive information alongside their applications to facilitate automated software testing. Testing keys and certificates often proliferate through the software supply chain. When such information gets shared publicly, it is catalogued by file reputation databases. Any private key and certificate files seen by a file reputation database prior to configured time threshold can be automatically suppressed. Commonly shared sensitive information is not considered to be secret.
Prevalence in Visual Studio Code community
52 packages
found in
Top 100
399 packages
found in
Top 1k
1849 packages
found in
Top 10k
9.29k packages
in community
Next steps
Review the commonly shared sensitive information for evidence of inadvertently exposed secrets.
If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Problem
Unicode is a text encoding standard designed to support the use of text written in all of the major languages and writing systems. While most languages are written from left to right, some are written in alternative directions. To accommodate encoding text written in such languages, the Unicode standard includes a number of special characters that allow the text direction to be specified. However, changing text direction can have adverse effects on how the encoded text is displayed and interpreted. For this reason, bidirectional Unicode control characters are commonly abused by malicious actors as a means of bypassing security solutions and avoiding detection. While presence of special Unicode characters does not imply malicious intent, all of its uses in a software package should be documented and approved. One example of acceptable use for these special characters is in script files that parse, validate, and transform Unicode-encoded text.
Prevalence in Visual Studio Code community
67 packages
found in
Top 100
487 packages
found in
Top 1k
2562 packages
found in
Top 10k
13.67k packages
in community
Next steps
Investigate reported detections as indicators of software tampering.